# Codsmp.zip

## 2.1 README.txt

The challenge archive codsmp.zip unpacks to:

```
workdir/
├─ README.txt
├─ payload.bin
├─ secret.py
└─ archive.enc
```

README.txt reads:

> Welcome to the CODSMP challenge!
>
> Inside this zip you will find a binary payload and a python script. The binary is encrypted with a custom XOR scheme. Your job is to recover the original binary and locate the flag.
>
> Good luck!

The README tells us that the binary is XOR‑encrypted and that the script secret.py probably contains the key or the routine to decrypt it.

## 2.2 secret.py

```python
#!/usr/bin/env python3
import sys, itertools

def xor(data, key):
    # repeating-key XOR: the key is cycled over the whole input
    return bytes(a ^ b for a, b in zip(data, itertools.cycle(key)))
```

binwalk finds nothing it recognises in archive.enc:

```
$ binwalk -e archive.enc
# no known file signatures
```

```
$ xxd archive.enc | head
00000000: 6e 33 3c 3d 6c 6e 3c 3d 6e 33 3c 3d 6c 6e 3d 2c  n3<=ln<=n3<=ln=,
...
```

Those bytes look like ASCII after a simple XOR with 0x20 (space):

```python
data = open('archive.enc', 'rb').read()
key = b' '                                  # 0x20
decoded = bytes(b ^ 0x20 for b in data)
print(decoded[:64])
```

Result:

```
'PK\x03\x04\x14\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
```

That is the ZIP local file header signature (PK\x03\x04). So archive.enc is a ZIP archive XOR‑encrypted with a single‑byte key 0x20.

### 4.2.1 Decrypting it

```
$ python3 -c "import sys; data=open('archive.enc','rb').read(); open('inner.zip','wb').write(bytes(b ^ 0x20 for b in data))"
$ unzip inner.zip -d inner
Archive:  inner.zip
  inflating: inner/secret_flag.txt
```

inner/secret_flag.txt contains:

```
$ file payload_decrypted.bin
payload_decrypted.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, stripped
```

Great – we have a Linux ELF binary now. Let’s run strings and objdump on it.

The solve script that performs the steps above (`work` is the unpacked workdir/):

```python
#!/usr/bin/env python3
import hashlib, itertools, re, subprocess
from pathlib import Path

work = Path('workdir')            # directory codsmp.zip was unpacked into

def xor(data, key):
    # repeating-key XOR, same helper as in secret.py
    return bytes(a ^ b for a, b in zip(data, itertools.cycle(key)))

def extract_flag(buf):
    # first FLAG{...} occurrence in the buffer, or None
    m = re.search(br'FLAG\{[^}]+\}', buf)
    return m.group(0).decode() if m else None

# -----------------------------------------------------------------
# 2. Decode archive.enc (single‑byte XOR 0x20)
enc = (work/'archive.enc').read_bytes()
dec = xor(enc, b' ')              # 0x20 == space == 32 decimal
inner_zip = work/'inner.zip'
inner_zip.write_bytes(dec)

# Extract inner.zip
inner_dir = work/'inner'
inner_dir.mkdir(exist_ok=True)
subprocess.run(['unzip', '-q', str(inner_zip), '-d', str(inner_dir)], check=True)

# Candidate keys for payload.bin
payload = (work/'payload.bin').read_bytes()
keys = {
    'hardcoded': b'codsmp',
    'md5':       hashlib.md5(b'codsmp.zip').digest()[:6],
    'sha256':    hashlib.sha256(b'codsmp.zip').digest()[:6],
}

print('\n=== Decrypting payload.bin with various keys ===')
for name, key in keys.items():
    dec = xor(payload, key)
    flag = extract_flag(dec)
    if flag:
        print(f'[{name}] Flag: {flag}')
    else:
        # store binary for manual analysis
        (work/f'payload_{name}.bin').write_bytes(dec)
```
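The writeup recovers the 0x20 key by eye and then guesses candidate keys for payload.bin. The following added example (not part of the original writeup or the challenge files) generalises both steps into a known-plaintext attack: because the first bytes of a ZIP (`PK\x03\x04`) and of a 64-bit LSB ELF (the 16-byte `e_ident`) are predictable, XORing the ciphertext prefix with that known header yields the first bytes of the key stream, and the shortest period that repeats cleanly inside that window is the key. The sample ZIP and fake ELF, the flag strings and the `FLAG\{...\}` pattern are all constructed here for illustration.

```python
import io
import itertools
import re
import zipfile
from typing import Optional

# Known plaintext expected at offset 0 of each container type.
ZIP_MAGIC = b'PK\x03\x04'                          # ZIP local file header
ELF64_IDENT = b'\x7fELF\x02\x01\x01' + b'\x00' * 9  # e_ident: magic, ELFCLASS64, LSB, version, padding

FLAG_RE = re.compile(br'FLAG\{[^}]+\}')            # assumed flag format, as in the writeup


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation secret.py uses."""
    return bytes(a ^ b for a, b in zip(data, itertools.cycle(key)))


def recover_key(cipher: bytes, known: bytes) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    cipher[:n] ^ known[:n] is the first n bytes of the key stream. If that
    stream is periodic with period p, the key is its first p bytes. A period
    is only trusted when it repeats at least twice inside the known window,
    so at most len(known) // 2 key bytes can be recovered this way.
    """
    n = min(len(cipher), len(known))
    stream = xor(cipher[:n], known[:n])
    for p in range(1, n // 2 + 1):
        if xor(stream, stream[:p]) == bytes(n):    # stream is p-periodic
            return stream[:p]
    return None


def decrypt_with_known_header(cipher: bytes):
    """Try each known header; return (label, key, plaintext) or None."""
    for label, known in (('zip', ZIP_MAGIC), ('elf64', ELF64_IDENT)):
        key = recover_key(cipher, known)
        if key is not None:
            return label, key, xor(cipher, key)
    return None


def extract_flag(buf: bytes) -> Optional[str]:
    m = FLAG_RE.search(buf)
    return m.group(0).decode() if m else None


# --- constructed samples (not the challenge files) -------------------------

def make_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('secret_flag.txt', 'FLAG{zip_sample}\n')
    return buf.getvalue()


def make_sample_elf() -> bytes:
    # Only e_ident is realistic; the rest is filler with a flag planted in it.
    return ELF64_IDENT + b'\x00' * 48 + b'FLAG{elf_sample}\x00'


def solve_sample_zip():
    cipher = xor(make_sample_zip(), b' ')       # single-byte key 0x20, as in the challenge
    label, key, plain = decrypt_with_known_header(cipher)
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        content = zf.read('secret_flag.txt')
    return label, key, extract_flag(content)


def solve_sample_elf():
    cipher = xor(make_sample_elf(), b'codsmp')  # 6-byte repeating key
    label, key, plain = decrypt_with_known_header(cipher)
    return label, key, extract_flag(plain)


if __name__ == '__main__':
    print(solve_sample_zip())   # ('zip', b' ', 'FLAG{zip_sample}')
    print(solve_sample_elf())   # ('elf64', b'codsmp', 'FLAG{elf_sample}')
```

The caveat is in `recover_key`: with only the 4-byte ZIP magic as known plaintext, keys of at most two bytes can be confirmed, whereas the 16-byte ELF `e_ident` pins down keys of up to eight bytes, which is why the 6-byte key is recovered from the ELF sample but would not be from a ZIP. To go further, add more predictable header fields (for a ZIP, the version and flag words the writeup's own dump shows as `\x14\x00\x00\x00`) to the known prefix.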